If it Happened | We Covered it

December 5, 2017December 5, 2017

macOS Update Causes Problems Related to the “Root” Bug Patch

There was an issue with macOS High Sierra related to being able to access your system without a password. Apple was quick to respond with a solution, but it’s causing some other issues. Let me back up for a moment. The original issue was a massive hole in the operating system’s security measures. Essentially any person (or malicious program) was able to log into your Mac and install software, or change settings etc. Why? When asked for a username and password, they could simply enter “root” with no password and gain full access to your computer. This was incredibly scary. Like I said, Apple was able to come out with a patch about 18 hours after the bug was reported. Which is incredibly fast.

But the “fix” may now be the problem. Multiple Mac users have confirmed that they are running into further issues since installing the patch. Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the “root” bug reappears when they install the most recent macOS system update. What’s worse? Some users have tried re-installing Apple’s security patch after the upgrade, only to find that the “root” problem still exists until they reboot their computer. Note, there is no warning that a reboot is necessary.

The problem isn’t necessarily the patch itself, it’s the fact that they had to run the macOS update first, otherwise, the patch is essentially ineffective. Mac administrator Chris Franson, a technical director at Northeastern University, said that he repeated that sequence of events and found that the “root” bug persisted, too. But he noted that rebooting the computer—after updating to 10.13.1 and then re-installing the security fix—did cause the security update to finally kick in and resolve the issue. However, that security update doesn’t tell users to reboot after installing it.

On Monday, Apple updated their security page to say, “If you recently updated from macOS High Sierra 10.13.0 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly”. Thanks for that now, Apple. Don’t get me wrong, I know that people misunderstand instructions or they don’t read things properly, and they inevitably muck up these kinds of installations. But this one isn’t the user’s fault. It’s Apple’s for rushing a patch and then not notifying users on how to successfully apply the patch. Not everyone is going to be tech savvy enough to know that they should reboot their system. This is a typical IT solution, but not everyone is familiar with it.

That being said, Apple’s bug fix isn’t as bad as the original “root” problem. it’s not clear how many High Sierra users might have installed the security patch before upgrading to the most recent version of the operating system, or even if everyone who did so is affected. Even among those who were affected, many likely have rebooted their computers, which should leave them protected. But the messiness of Apple’s patch joins a pattern of security missteps in High Sierra’s code. Apple had issued an apology for the “root” security flaw, writing that their “customers deserve better” and promising to audit its development practices to prevent similar bugs in the future. And even before that most recent bug blowup, researchers had already shown—on the day of the operating system’s launch no less—that malicious code running on the operating system could steal the contents of its keychain without a password.

To me, this feels like yet another issue that Apple has been having lately with their products. I think I mentioned in another post that these kinds of things seem to keep happening. This concerns me as Apple used to be so polished, but perhaps they have too many products in their ecosystem that they can no longer keep on top of things from a quality perspective?